Beyond Linux® From Scratch - Version 7.7

Chapter 4. Security

MIT Kerberos V5-1.13.1

Introduction to MIT Kerberos V5

MIT Kerberos V5 is a free
implementation of Kerberos 5. Kerberos is a network authentication
protocol. It centralizes the authentication database and uses
kerberized applications to work with servers or services that
support Kerberos, allowing single logins and encrypted communication
over internal networks or the Internet.

This package is known to build and work properly using an LFS-7.7
platform.

Now re-verify the package with the first command above. You should
get an indication of a good signature, but the key will still not be
certified with a trusted signature. Trusting the downloaded key is
a separate operation, and it is up to you to determine the level of
trust.

To test the build, issue: make check. You need at least Tcl-8.6.3,
which is used to drive the testsuite. Furthermore, DejaGnu-1.5.2
must be available for some of the tests to run. If you have a
previous version of MIT Kerberos V5 installed, the test suite may
pick up the installed versions of the libraries rather than the
newly built ones. If so, it is better to run the tests after the
installation.

Command Explanations

sed -e ...: The first sed fixes Python detection. The second one
increases the width of the virtual terminal used for some tests, to
prevent spurious characters from being echoed, which would be taken
as a failure.

--localstatedir=/var/lib:
This parameter is used so that the Kerberos variable run-time data
is located in /var/lib instead of
/usr/var.

--with-system-et: This
switch causes the build to use the system-installed versions of the
error-table support software.

--with-system-ss: This
switch causes the build to use the system-installed versions of the
subsystem command-line interface software.

--with-system-verto=no:
This switch works around a bug in the package: the build does not
recognize its own previously installed verto library. This is not a
problem if you are reinstalling the same version, but if you are
updating, the old library would be used as the system one instead of
the new version being installed.

--enable-dns-for-realm:
This switch allows realms to be resolved using the DNS server.

mv -v /usr/bin/ksu /bin: Moves the ksu program to the /bin directory
so that it is available when the /usr filesystem is not mounted.

--with-ldap: Use this switch if you want to compile the OpenLDAP
database backend module.

Configuring MIT Kerberos V5

Config Files

/etc/krb5.conf and /var/lib/krb5kdc/kdc.conf

Configuration Information

Kerberos Configuration

Tip

You should consider installing some sort of password checking
dictionary so that you can configure the installation to only
accept strong passwords. A suitable dictionary to use is
shown in the CrackLib-2.9.2 instructions. Note that
only one file can be used, but you can concatenate many files
into one. The configuration file shown below assumes you have
installed a dictionary to /usr/share/dict/words.

Create the Kerberos configuration file with the following
commands issued by the root
user:

You will need to substitute your domain and proper hostname for
the occurrences of the <belgarath> and
<lfs.org>
names.

default_realm should be the name of
your domain changed to ALL CAPS. This isn't required, but both
Heimdal and MIT recommend it.

encrypt = true provides encryption
of all traffic between kerberized clients and servers. It's not
necessary and can be left off. If you leave it off, you can
encrypt all traffic from the client to the server using a
switch on the client program instead.

The [realms] parameters tell the
client programs where to look for the KDC authentication
services.

The [domain_realm] section maps a
domain to a realm.

Create the KDC database:

kdb5_util create -r <LFS.ORG> -s

Now you should populate the database with principals (users).
For now, just use your regular login name or root.

The KDC server and any machine running kerberized server
daemons must have a host key installed:

kadmin.local: addprinc -randkey host/<belgarath.lfs.org>

After choosing the defaults when prompted, you will have to
export the data to a keytab file:

kadmin.local: ktadd host/<belgarath.lfs.org>

This should have created a file in /etc named krb5.keytab (Kerberos 5). This file should
have 600 (root rw only)
permissions. Keeping the keytab files from public access is
crucial to the overall security of the Kerberos installation.

Exit the kadmin
program (use quit
or exit) and
return back to the shell prompt. Start the KDC daemon manually,
just to test out the installation:

/usr/sbin/krb5kdc

Attempt to get a ticket with the following command:

kinit <loginname>

You will be prompted for the password you created. After you
get your ticket, you can list it with the following command:

klist

Information about the ticket should be displayed on the screen.

To test the functionality of the keytab file, issue the
following command:

ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l

This should dump a list of the host principal, along with the
encryption methods used to access the principal.

At this point, if everything has been successful so far, you
can feel fairly confident in the installation and configuration
of the package.
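The configuration and keytab steps above, as an added example that is not part of the BLFS book: a POSIX shell script that parses the krb5.conf sections this section describes, checks that default_realm is upper case and that [domain_realm] maps the domain to it, and verifies that the keytab is mode 600 and owned by root. The LFS.ORG realm, lfs.org domain and belgarath.lfs.org KDC are placeholders, and the sample krb5.conf the script can write is constructed for trying the checks, not the book's own file.

```shell
#!/bin/sh
# Added example, not from the BLFS book: sanity checks for a freshly configured
# MIT Kerberos host. Paths are arguments so the checks can run on copies; the
# LFS.ORG / lfs.org / belgarath.lfs.org names are placeholders.
# Print the value of KEY in [SECTION] of a krb5.conf-style file (empty if absent).
krb5_conf_get() {                          # krb5_conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# default_realm must be set and in ALL CAPS, as both Heimdal and MIT recommend.
check_default_realm() {                    # check_default_realm KRB5_CONF
    realm=$(krb5_conf_get "$1" libdefaults default_realm)
    [ -n "$realm" ] || { echo "$1: default_realm missing" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "$1: realm $realm is not upper case" >&2; return 1; }
}

# [domain_realm] must map the local domain (the ".domain" entry) to default_realm.
check_domain_realm() {                     # check_domain_realm KRB5_CONF DOMAIN
    realm=$(krb5_conf_get "$1" libdefaults default_realm)
    mapped=$(krb5_conf_get "$1" domain_realm ".$2")
    [ "$mapped" = "$realm" ] || { echo "$1: .$2 maps to '$mapped', not $realm" >&2; return 1; }
}

# The keytab is the host's long-term credential: it must be mode 600 and owned
# by root (or by OWNER when checking a copy), nothing more permissive.
check_keytab() {                           # check_keytab KEYTAB [OWNER]
    [ -f "$1" ] || { echo "$1: no keytab" >&2; return 1; }
    mode=$(stat -c '%a' "$1"); user=$(stat -c '%U' "$1")
    [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600" >&2; return 1; }
    [ "$user" = "${2:-root}" ] || { echo "$1: owner $user, expected ${2:-root}" >&2; return 1; }
}

# Constructed sample krb5.conf with the sections this page describes, so the
# checks can be tried without touching /etc. Usage: write_sample_conf FILE REALM DOMAIN KDC
write_sample_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $2
    encrypt = true
[realms]
    $2 = {
        kdc = $4
    }
[domain_realm]
    .$3 = $2
    $3 = $2
EOF
}
```

On a real host run the checks as root against /etc/krb5.conf and /etc/krb5.keytab; a non-zero exit with a message on stderr names the setting to fix.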

kinit

is used to authenticate to the Kerberos server as a
principal and acquire a ticket granting ticket that can
later be used to obtain tickets for other services.

klist

reads and displays the current tickets in the credential
cache.

kpasswd

is a program for changing Kerberos 5 passwords.

kprop

takes a principal database in a specified format and
converts it into a stream of database records.

kpropd

receives a database sent by kprop and writes it as
a local database.

krb5-config

gives information on how to link programs against
libraries.

krb5kdc

is the Kerberos 5 server.

ksu

is the super user program using the Kerberos protocol. It
requires a properly configured /etc/shells and a ~/.k5login
containing the principals authorized to become super user.

kswitch

makes the specified credential cache the primary cache
for the collection, if a cache collection is available.

ktutil

is a program for managing Kerberos keytabs.

kvno

prints key version numbers of Kerberos principals.

sclient

is used to contact a sample server and authenticate to it
using Kerberos 5 tickets, then display the server's
response.

sserver

is the sample Kerberos 5 server.

libgssapi_krb5.so

contains the Generic Security Service Application
Programming Interface (GSSAPI) functions, which provide
security services to callers in a generic fashion,
supportable with a range of underlying mechanisms and
technologies and hence allowing source-level portability
of applications to different environments.